Apple on Friday issued a note to developers outlining a fix for an in-app purchasing exploit that allowed for-pay content to be downloaded free of charge, and also announced that the loophole will be plugged when iOS 6 is released this fall.

Per CNET, in its support document for iOS app developers, Apple recommends that apps featuring in-app purchases follow a set of guidelines that includes confirming orders with the company’s new receipt system.

The receipt validation protocol, which Apple unveiled on Wednesday, attaches a “unique identifier” to in-app purchase receipts. That change thwarts the recently discovered workaround, which got bogus “purchases” accepted by redirecting the device’s validation requests, via altered DNS settings, to an attacker-controlled server that returned spoofed receipts. Before the discovery, Apple issued generic receipts containing no unique user data.

“We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases,” said Apple spokesman Tom Neumayr. “This will also be addressed with iOS 6.”

Friday’s document includes instructions on how to set up and use Apple’s new validation system, as well as how to validate transactions that have already gone through.

From the document:
“A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.”
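The failure the document describes is a client that treats “the validation server said OK” as the whole check. The following is an added example written for this page (it is not Apple’s code, the article’s, or any shipping app’s): a simulated validation exchange in which a rogue server reached through altered DNS answers “valid” for anything, run against two client strategies, the naive one and one that also binds the returned receipt to the transaction this device actually made and to a device-unique identifier, which is the kind of check the new receipt format enables. The JSON field names (status, receipt.product_id, receipt.transaction_id, receipt.bid, receipt.unique_identifier), the 21002 status code, the bundle and device identifiers, and both receipts are assumptions and constructed sample data; nothing here touches the network.

```python
"""Added example: replayed generic receipt vs. receipt bound to this device.
Field names, status codes, identifiers and receipts are assumptions/constructed."""
import json

# --- Constructed sample data (not from the article) ---------------------------
BUNDLE_ID = "com.example.app"                 # assumed bundle identifier
DEVICE_ID = "device-unique-id-AAAA"           # assumed per-device unique identifier
# The StoreKit transaction this device is actually trying to complete.
PENDING_TXN = {"product_id": "com.example.app.pro",
               "transaction_id": "1000000012345678"}

# Receipt really issued for the pending transaction on this device.
GENUINE_RECEIPT = json.dumps({
    "product_id": "com.example.app.pro",
    "transaction_id": "1000000012345678",
    "bid": BUNDLE_ID,
    "unique_identifier": DEVICE_ID,
})
# Generic receipt lifted from someone else's purchase and replayed by the attack:
# well-formed, but for another transaction and another device.
REPLAYED_RECEIPT = json.dumps({
    "product_id": "com.example.app.pro",
    "transaction_id": "1000000099999999",
    "bid": BUNDLE_ID,
    "unique_identifier": "device-unique-id-ZZZZ",
})


def genuine_store(receipt_json):
    """Simulated App Store validator: parses the receipt and answers status 0
    only for well-formed input (stand-in for the real endpoint)."""
    try:
        return {"status": 0, "receipt": json.loads(receipt_json)}
    except ValueError:
        return {"status": 21002}   # assumed 'malformed receipt data' code


def rogue_store(receipt_json):
    """Simulated attacker server, reached because the DNS table was altered and
    the attacker's CA was installed on the device: answers 'valid' to anything."""
    try:
        body = json.loads(receipt_json)
    except ValueError:
        body = {}
    return {"status": 0, "receipt": body}


def unlock_naive(validator, receipt_json):
    """Pre-fix client logic: unlock content if the server says status == 0."""
    return validator(receipt_json).get("status") == 0


def unlock_bound(validator, receipt_json, txn=PENDING_TXN,
                 device_id=DEVICE_ID, bundle_id=BUNDLE_ID):
    """Client logic that also binds the returned receipt to what this device
    bought. A replayed receipt fails even when the validator lies."""
    resp = validator(receipt_json)
    if resp.get("status") != 0:
        return False
    r = resp.get("receipt") or {}
    return (r.get("product_id") == txn["product_id"]
            and r.get("transaction_id") == txn["transaction_id"]
            and r.get("bid") == bundle_id
            and r.get("unique_identifier") == device_id)


def demo():
    """Run both client strategies against both servers; returns the outcomes."""
    return {
        "naive/rogue/replayed": unlock_naive(rogue_store, REPLAYED_RECEIPT),
        "bound/rogue/replayed": unlock_bound(rogue_store, REPLAYED_RECEIPT),
        "bound/genuine/genuine": unlock_bound(genuine_store, GENUINE_RECEIPT),
        "bound/genuine/replayed": unlock_bound(genuine_store, REPLAYED_RECEIPT),
    }


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name:24s} unlock={unlocked}")
```

The naive client unlocks content on the replayed receipt because the rogue server says so; the bound client rejects it because the transaction and device identifiers in the receipt are not its own. The caveat a practitioner should keep in mind: this device-side binding defeats the replayed generic receipt the article describes, but a validator the attacker controls can still tailor its answer, so the durable fix is to validate from a server you control and, as the page notes, the platform-level change Apple says arrives with iOS 6.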

As part of the mitigation, Apple is permitting apps to use certain otherwise non-public APIs relating to verification and security services.

Along with the support document, Apple sent developers an email noting that the exploit will be patched in iOS 6 when the mobile operating system is released alongside an expected next-generation iPhone sometime this fall.

Stay tuned for additional details as they become available.


On Saturday, Carbon Copy Cloner, Mike Bombich’s popular shareware drive-cloning utility, reached version 3.5. The new version, an 8.6 megabyte download, adds the following fixes and changes:

- This version of Carbon Copy Cloner requires Mac OS X 10.6 Snow Leopard, OS X 10.7 Lion, or OS X 10.8 Mountain Lion, and is fully qualified on each of those OSes. We will continue to provide user support and bug fixes for Mac OS X 10.4 Tiger and Mac OS X 10.5 Leopard users on CCC 3.4.x for a while longer.

- Recovery HD support has been overhauled to better support the concept of “one Recovery HD partition per volume”, rather than one per disk. If you have multiple backup volumes with different OSes (e.g. Lion and Mountain Lion), CCC can associate a Recovery HD with each one and apply the appropriate OS to each Recovery HD partition.

- We have leveraged code signing within CCC for nearly five years. For Gatekeeper compliance on OS X 10.8 Mountain Lion, however, CCC is now signed with an Apple Developer Certificate.

- Most of the binaries in the CCC bundle are now 32/64-bit Intel-only binaries.

- Fixed an issue that appeared in 10.7.4, specific to Macs running Lion with a 64-bit kernel, in which the /Volumes folder on the destination volume would be locked rather than hidden. This resulted in external volumes being unmountable when booted from the backup volume.

- Performance of deleting scheduled tasks is much improved.

- CCC previously encountered some performance problems when simultaneously saving very large numbers of scheduled tasks (e.g. > 29). These problems should now be resolved. This is most applicable when updating CCC, or when CCC has been moved and all tasks must be re-saved at the same time.

- Updated graphics for High Resolution support on the new MacBook Pro (Retina).